First they stole your eyeballs, now they steal your CPU!
Malvertising and covert channels
New Malvertising technology has been invented which secretly mines cryptocurrency in your browser. The article reveals how the javascript exploit works here. This is only going to get worse until a proper attention economy is put in place. An attention economy would put monetary value on human attention and if done right make it so your eyeballs cannot be stolen for free. In addition, there should be some way to block or detect all mining but I have to say this might eventually become impossible due to covert channels.
Covert channels could eventually allow attackers to secretly mine on your CPUs in a manner which is very difficult to detect if not impossible to detect. You might notice that some application is using more CPU than it should but you might not notice this if it's only a very small amount or done in a way so as to mask the fact. Covert channels for those who do not know, allow for obfuscation of the communications channels between applications. Anything from code to commands to mining can be obfuscated so that the owner of the machine cannot determine how to stop it even if they can see their CPU is being used. This is because in most cases people rely on their task manager or operating system to tell them true and correct information about what applications are doing and covert channels can confuse the operating system in this regard.
Covert channel analysis
Covert channel analysis is possible so while it might not be entirely impossible to detect covert channels it is at least in my opinion equivalent to finding a needle in a haystack in some cases. It's in my opinion going to become increasingly more difficult to know whether or not your machine has been enslaved covertly.
The good news is that users can protect themselves against surreptitious JS-based cryptocurrency miners hidden in ad code by using an ad blocker.
For now best practice is to use an ad blocker. That will stop the javascript mining attacks. An ad blocker will not however stop more sophisticated attacks which could come in the future that may use covert channels or be disguised as official software. As mining becomes increasingly profitable the sophistication of the attacks will improve to include covert channels and obfuscation to hide the fact that it's mining. It may be detectable but again this is cat and mouse.
It's interesting that JSEcoin is dong this as a feature that webmasters can use to monetize their site. https://jsecoin.com/
Have you heard of this company and what are your thoughts?
That is incredibly interesting, I think I will sign up soon and put it on my own websites.
JSEcoin seems to be offering this same service, already declared illegal by New Jersey.
I saw this same quote in the article mentioned in this steemit article: https://www.bleepingcomputer.com/news/security/malvertising-campaign-mines-cryptocurrency-right-in-your-browser/
I think JSEcoin is headquartered outside of the US but still, it seems to present legal problems. I wonder how it will turn out for them.
@dana-edwards
great insight and learning from a great blogger... after this great read on covert channel and minning... am glad for this line....
"The good news is that users can protect themselves against surreptitious JS-based cryptocurrency miners hidden in ad code by using an ad blocker."
thanks for sharing this... and keep it up!
Good post.... @dana-edwards
CPU Ghosts, I am definitely going to install the ad blocker and upgrade my PC Security
Thank you for this. What a nice treat. Hope you enjoy your weekend
JAVASCRIPT is most insecure scripting language! Read "The JavaScript Trap" https://www.gnu.org/philosophy/javascript-trap.en.html
Were been attack from all sides. I've just started using Opera it has a build in ad blocker :) Working well